Ten tips for application security

by Godfrey Kutumela, leader of the cyber crime and security division.

Business and society are increasingly application-driven, so application security is in everybody's interest. (Many of these principles, by the way, are applicable to software development in general, not just to security, so applying them will have far-reaching benefits.)

These are my top 10 principles for application security:

1. Secure by design, detect by test

Use threat models intelligently to help development teams understand the attacks their software is likely to experience – and then challenge them to code defensively. When teams follow this principle, testing becomes a way of assessing how well they responded to this challenge, rather than a way of identifying gaps that then have to be fixed.

2. Don't rely on fixing vulnerabilities, prevent them from occurring in the first place

This principle is the corollary of the first. I've included it to emphasise the profound change in mind-set that is required. Prevention is not only better than cure, it's much cheaper too!

3. Automate security testing

The traditional practice of developers testing each other's code, and even utilising a penetration tester at the end of the process, is no longer adequate. The complexity of the threat landscape, and the volume and velocity of applications required, are simply too great. Automated testing is much less error-prone, and can be run repeatedly throughout the development cycle – from the very first day, in fact.

4. Give the right information to the right people

There are various stakeholders within the software development life cycle, and each needs to be fed appropriate security information. For example, developers need security information relating to the source code, whereas the operations team needs information pertaining to configuration. Every effort should be made to feed the test results back to the correct stakeholders.

5. Find vulnerabilities as quickly as possible

Defensive coding based on a clear understanding of the potential threats will help to reduce the occurrence of security vulnerabilities (first principle above), and automation will ensure that testing is not relegated to the end of the process (third principle). It's all in the name of ensuring that any vulnerability is detected early on, so that the fix is part of the source code rather than an Elastoplast applied later.

6. Improve every day

There's no shame in making a mistake; everyone does – but software teams should work towards ways of never making the same mistake multiple times.

7. Analyse software and threats from many angles

When teams are looking at ways to avoid vulnerabilities or interpreting test results, be wary of easy consensus. Great care must be taken to examine things from many angles in order to arrive at the best solution and avoid blind spots. This might just be the most difficult principle to put into practice.

8. Leave room for people to prove you wrong

In science, a theory is only considered strong if it can be disproved. Similarly, in software development, it's vital for teams to keep in mind that there is always a different – and possibly better – way of doing things. This principle ultimately promotes deeper, richer collaboration across the whole team.

9. Help colleagues to help themselves

The idea here is not just to help colleagues, but rather to give them the tools to help themselves next time around. This principle is particularly relevant to team leaders, but it applies to everybody. The goal is for each team member to be self-sufficient.

10. Make sure everything is tailored to the particular environment

When developing software securely, it's critical not to waste time, effort and money on trying to do everything. Profile the environment in which the piece of software will be operational, and thus the likely threats, and focus on securing it within that context.

Applications are central to both business and government. As such, they have become a favoured target for hackers. By learning how to integrate security into the way these applications are created, software development teams have a critical role to play in enabling the application economy.